Bug 642329
[adbe 2874487] Flash related Plugin Crash [@ _moz_cairo_surface_set_user_data] with null surface | ASSERTION: Cannot create optimized surface: 'Error'
Status: Closed (RESOLVED WORKSFORME)
Opened 13 years ago
Closed 12 years ago
Categories: Core Graveyard :: Plug-ins, defect
Tracking: Not tracked
People: Reporter: bc, Unassigned
Keywords: assertion, crash
Whiteboard: [sg:dos?]
Attachments: 1 file (12.75 KB, text/plain)
1. http://www.myspace.com/kartoff
2. Crash in plugin-container with Flash 10.2.152.26

on 2.0.0 total virtual memory quickly hits 2G and quickly fluctuates up to 4G and back down with

ASSERTION: Cannot create optimized surface: 'Error', file c:/work/mozilla/builds/2.0.0/mozilla/dom/plugins/PluginInstanceChild.cpp, line 2516

repeated about 1700 times.

on 1.9.2 it hits almost 8G and I got a funny break point in RealBreak() and a bunch of urls in the console like:

http://www.myspace.com/search/Videos?q=%D0%9C%D0%BE%D0%BB%D0%BE%D1%85.%20%D1%80%D0%B5%D0%B6.%20%D0%9C%D0%B0%D1%80%D1%82%D0%B8%D0%BD%20%D0%9F%D0%B0%D1%86%D0%B5%D1%80%D0%B0%0D%0A%0D%0A%D0%98%D0%BD%D0%B4%D1%83%D1%81%D1%82%D1%80%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D0%B0%D1%8F%20%D1%8D%D0%BD%D0%B5%D1%80%D0%B3%D0%BE%D1%83%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B0

Operating system: Windows NT 5.1.2600 Service Pack 3
CPU: x86 GenuineIntel family 6 model 44 stepping 2 1 CPU
Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xc
Assertion: Unknown assertion type 0x00000000

Thread 0 (crashed)
 0  xul.dll!_moz_cairo_surface_set_user_data [cairo-surface.c : 706 + 0x3]
    eip = 0x019f4526 esp = 0x0012eeac ebp = 0x0012eeac ebx = 0x00000000
    esi = 0x04098618 edi = 0x7c90e920 eax = 0x00000000 ecx = 0x040ffe58
    edx = 0x040ffe58 efl = 0x00210216
    Found by: given as instruction pointer in context
 1  xul.dll!mozilla::gfx::SharedDIBSurface::InitSurface(unsigned int,unsigned int,bool) [SharedDIBSurface.cpp : 85 + 0x16]
    eip = 0x009292aa esp = 0x0012eeb4 ebp = 0x0012eedc
    Found by: call frame info
 2  xul.dll!mozilla::gfx::SharedDIBSurface::Create(HDC__ *,unsigned int,unsigned int,bool) [SharedDIBSurface.cpp : 57 + 0x13]
    eip = 0x0092919c esp = 0x0012eee4 ebp = 0x0012eef8
    Found by: call frame info
 3  xul.dll!mozilla::plugins::PluginInstanceChild::CreateOptSurface() [PluginInstanceChild.cpp : 2390 + 0x20]
    eip = 0x007ca759 esp = 0x0012ef00 ebp = 0x0012ef48
    Found by: call frame info
 4  xul.dll!mozilla::plugins::PluginInstanceChild::EnsureCurrentBuffer() [PluginInstanceChild.cpp : 2515 + 0x7]
    eip = 0x007cabe6 esp = 0x0012ef50 ebp = 0x0012efa4
    Found by: call frame info
 5  xul.dll!mozilla::plugins::PluginInstanceChild::ShowPluginFrame() [PluginInstanceChild.cpp : 2914 + 0xa]
    eip = 0x007cbc1d esp = 0x0012efac ebp = 0x0012f0f4
    Found by: call frame info
 6  xul.dll!mozilla::plugins::PluginInstanceChild::InvalidateRectDelayed() [PluginInstanceChild.cpp : 3109 + 0x7]
    eip = 0x007ccefe esp = 0x0012f0fc ebp = 0x0012f100
    Found by: call frame info
 7  xul.dll!DispatchToMethod<mozilla::plugins::PluginInstanceChild,void ( mozilla::plugins::PluginInstanceChild::*)(void)>(mozilla::plugins::PluginInstanceChild *,void ( mozilla::plugins::PluginInstanceChild::*)(void),Tuple0 const &) [tuple.h : 383 + 0x8]
    eip = 0x007cfccc esp = 0x0012f108 ebp = 0x0012f108
    Found by: call frame info
 8  xul.dll!RunnableMethod<mozilla::plugins::PluginInstanceChild,void ( mozilla::plugins::PluginInstanceChild::*)(void),Tuple0>::Run() [task.h : 307 + 0x1d]
    eip = 0x007cf50e esp = 0x0012f110 ebp = 0x0012f124
    Found by: call frame info
 9  xul.dll!MessageLoop::RunTask(Task *) [message_loop.cc : 343 + 0xc]
    eip = 0x01911dbe esp = 0x0012f12c ebp = 0x0012f14c
    Found by: call frame info
10  xul.dll!MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &) [message_loop.cc : 351 + 0xd]
    eip = 0x01911e2e esp = 0x0012f154 ebp = 0x0012f15c
    Found by: call frame info

ss because this smells.
Comment 1•13 years ago
This renders my browser non-responsive on Mac (Fx4rc) as the memory usage goes up to about 2G and I have to force quit.
Comment 2•13 years ago
The memory use seems bad, but the actual crash looks benign. Do we want to report this as a potentially malicious .swf to Adobe?
Reporter
Comment 3•13 years ago
Sal (cc'd here) should already be notified. Sal?
Comment 4•13 years ago
Joe thinks we failed to check whether we were able to create the cairo surface in an OOM situation. missing null check? Don't think this specific signature is scary. Do we get different crashes because of the OOM that look worse?
Whiteboard: [sg:dos?]
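The first-pass assessment made in the comments above (a read at 0xc through a null surface looks like a denial of service rather than something worse) can be derived mechanically from the stackwalk text. The following is an added example, not code from this bug or from Mozilla's tooling; the `triage` function, the 0x1000 near-null threshold and the sample layout are assumptions.

```python
import re

# Constructed sample: header and top frames laid out like the dump quoted in
# this bug's description; the values are the ones given there.
SAMPLE = """\
Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xc

Thread 0 (crashed)
 0  xul.dll!_moz_cairo_surface_set_user_data [cairo-surface.c : 706 + 0x3]
    eip = 0x019f4526   esp = 0x0012eeac   ebp = 0x0012eeac   ebx = 0x00000000
    esi = 0x04098618   edi = 0x7c90e920   eax = 0x00000000   ecx = 0x040ffe58
    edx = 0x040ffe58   efl = 0x00210216
 1  xul.dll!mozilla::gfx::SharedDIBSurface::InitSurface(unsigned int,unsigned int,bool) [SharedDIBSurface.cpp : 85 + 0x16]
    eip = 0x009292aa   esp = 0x0012eeb4   ebp = 0x0012eedc
"""

NEAR_NULL_LIMIT = 0x1000  # assumption: addresses below one page are null + field offset
GP_REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi")


def triage(report):
    """Summarise a stackwalk text report for a first-pass severity call."""
    reason = re.search(r"Crash reason:\s*(\S+)", report)
    address = re.search(r"Crash address:\s*(0x[0-9a-fA-F]+)", report)
    if not (reason and address and "(crashed)" in report):
        raise ValueError("missing crash reason, address or crashed thread")
    addr = int(address.group(1), 16)
    crashed = report.split("(crashed)", 1)[1]
    # Frame header lines look like "<n>  module!symbol [file : line + off]".
    symbols = re.findall(r"^\s*\d+\s+\S+?!(.+?)\s+\[", crashed, re.M)
    # The text between the frame 0 and frame 1 headers holds frame 0's registers.
    chunks = re.split(r"^\s*\d+\s+\S+", crashed, flags=re.M)
    frame0 = chunks[1] if len(chunks) > 1 else ""
    regs = {n: int(v, 16) for n, v in re.findall(r"\b(e[a-z]{2}) = (0x[0-9a-fA-F]+)", frame0)}
    if reason.group(1) == "EXCEPTION_BREAKPOINT":
        verdict = "deliberate abort or assertion"
    elif addr < NEAR_NULL_LIMIT:
        verdict = "near-null access, consistent with a null pointer plus field offset"
    else:
        verdict = "non-null crash address, needs manual review"
    return {
        "reason": reason.group(1),
        "address": addr,
        "signature": symbols[0] if symbols else None,
        "null_registers": [r for r in GP_REGS if regs.get(r) == 0],
        "verdict": verdict,
    }
```

The zeroed registers are only candidates for the null base pointer; confirming which one was dereferenced still requires the disassembly at the faulting instruction.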
Comment 5•13 years ago
https://crash-stats.mozilla.com/report/index/18df0298-6ce5-4a57-b78b-5fcd12110324 http://mxr.mozilla.org/mozilla-central/source/gfx/thebes/gfxImageSurface.cpp#73 doesn't return an error code, what are we supposed to check in that case? Called from here: http://hg.mozilla.org/mozilla-central/annotate/a7346f028fd6/gfx/ipc/SharedDIBSurface.cpp#l82
Comment 6•13 years ago
gfxASurface::CairoStatus() should return 0 if everything went ok.
Reporter
Comment 7•13 years ago
This is the only one I've seen in automation. The related socorro signature is _PR_MD_PR_POLL which is filed as bug 612270 and which had about 1500 crashes in the last week. 293 are @0x0 | _PR_MD_PR_POLL but 1242 have scattered crash addresses.
Comment 8•13 years ago
Why do you think this has something to do with _PR_MD_PR_POLL? It doesn't appear to be related.
Reporter
Comment 9•13 years ago
Just that the url is provided to me from socorro due to a user crashing there and they had that signature.
Reporter
Comment 10•13 years ago
update crash bugs to critical per guidelines.
Severity: normal → critical
Reporter
Comment 11•13 years ago
This still occurs with Flash 10.3 on Windows XP/Windows 7. Charles, is Sal still involved in helping us with Flash related crashes?
Comment 12•13 years ago
Yes Sal is still on the forefront for these issues. I'll ping him on this one.
Comment 13•13 years ago
i'm here... the issue is internally referenced in 2874487.
Assignee: nobody → smadayag
Status: NEW → ASSIGNED
Summary: Flash related Plugin Crash [@ _moz_cairo_surface_set_user_data] with null surface | ASSERTION: Cannot create optimized surface: 'Error' → [adbe 2874487] Flash related Plugin Crash [@ _moz_cairo_surface_set_user_data] with null surface | ASSERTION: Cannot create optimized surface: 'Error'
Reporter
Comment 14•13 years ago
Hit this again on http://www.myspace.com/apollo225 with Windows XP and aurora with the addition of an Assertion failure: !entered && i < mLength, at c:\work\mozilla\builds\aurora\mozilla\js\src\jsvector.h:320
Reporter
Comment 15•13 years ago
note the crashing thread does not have flash but the extra dump file flags NPSWF as the plugin in plugin-container.
Reporter
Comment 16•13 years ago
reproduced with Flash 10.3.181.22 on Firefox 4, beta, aurora, nightly on Windows 7 but not Windows XP. Sal, do you think this is an Adobe issue or a Firefox issue? If you think this is a Firefox issue, please reassign to the default owner. Thanks.
Assignee
Updated•13 years ago
Crash Signature: [@ _moz_cairo_surface_set_user_data]
Comment 17•13 years ago
i've asked the dev assigned for his assessment. i'll comment when he posts.
Crash Signature: [@ _moz_cairo_surface_set_user_data]
Updated•13 years ago
Crash Signature: [@ _moz_cairo_surface_set_user_data]
Reporter
Comment 18•13 years ago
Now with Flash 10.3.181.26 only reproducible on Windows 7
OS: Windows XP → Windows 7
Reporter
Comment 19•13 years ago
reproducible with http://www.barbariki.ru/index.php?page=103 Windows XP and Windows 7 on Beta, Aurora, Nightly and Flash 10.3.183.5
Comment 20•13 years ago
awesome. the barbariki URL will make it easier for dev to troubleshoot. thanks bob...
Comment 21•13 years ago
here are the dev notes:
3.6.18 works flawlessly on this site. I upgraded to 5.0 and ran into two separate problems.
1. In in-process mode with the plugin, unless the window was wide enough, the menus do not display anything. If i rollover a menu item or generate an animation, i do not get an updaterect call to draw anything. Only when the window is resized larger do the menus appear correctly.
2. In out-of-process plugin mode, I get a crash but it is in the XUL.dll. I don't see anything bad from Flash itself. The crashing stack with a bad access at 0x0000000c.
> xul.dll!5a84d3e4()
[Frames below may be incorrect and/or missing, no symbols loaded for xul.dll]
xul.dll!5aaee615()
xul.dll!5ab29fe0()
xul.dll!5ae41974()
xul.dll!5ae47a99()
xul.dll!5ae4a025()
xul.dll!5ae4dd33()
xul.dll!5a7edd46()
xul.dll!5a7edd6a()
xul.dll!5a5f5b00()
xul.dll!5ac15fa5()
xul.dll!5a7ede4d()
xul.dll!5a7ede18()
xul.dll!5a7da7f0()
xul.dll!5a9cf4ef()
xul.dll!5a7da785()
xul.dll!5ae4bd56()
ntdll.dll!77e6fada()
KernelBase.dll!7589e58f()
mozcrt19.dll!67346ffd()
plugin-container.exe!013b124d()
plugin-container.exe!013b1402()
kernel32.dll!76de339a()
ntdll.dll!77e89ed2()
Reporter
Comment 22•13 years ago
Since this is most likely a bug in our code, I'll reassign it.
Assignee: smadayag → nobody
Reporter
Updated•13 years ago
Status: ASSIGNED → NEW
Reporter
Comment 23•13 years ago
dveditz: any reason to keep this hidden anymore? The consensus appears to be this is just a dos and not a security issue.
Reporter
Comment 25•13 years ago
Reproducible now with http://www.barbariki.ru/index.php?page=103 with Firefox 7/Windows XP debug and opt builds. bp-cb1880b2-07b2-4945-b77b-72ab42110927
Reporter
Comment 26•13 years ago
http://www.watchfomny.com/Video/United-kindom/Family-Guy/Family-Guy.htm (might be copyright violation) contains the following

<iframe src='http://www.seeon.tv/embedplayer.php?width=350&height=290360&channel=20796&autoplay=true' frameborder='0' marginheight='0' marginwidth='0' scrolling='no' width='350' height='290360'>

which in a Nightly debug build with Flash 11.0.1.152 results in

###!!! ABORT: Expected SharedDIBSurface!: file c:/work/mozilla/builds/nightly/mozilla/dom/plugins/ipc/PluginInstanceChild.cpp, line 2751

Operating system: Windows NT 5.1.2600 Service Pack 3
CPU: x86 GenuineIntel family 6 model 44 stepping 2 1 CPU
Crash reason: EXCEPTION_BREAKPOINT
Crash address: 0x7c90120e
Assertion: Unknown assertion type 0x00000000

Thread 0 (crashed)
 0  ntdll.dll + 0x120e
    eip = 0x7c90120e esp = 0x0012ea34 ebp = 0x0012ea38 ebx = 0x00000001
    esi = 0x0423a148 edi = 0x7c90e920 eax = 0x00000000 ecx = 0x00000001
    edx = 0x00000000 efl = 0x00200212
    Found by: given as instruction pointer in context
 1  xul.dll!NS_DebugBreak_P [nsDebugImpl.cpp : 340 + 0x4]
    eip = 0x0188e563 esp = 0x0012ea40 ebp = 0x0012ee58
    Found by: previous frame's frame pointer
 2  xul.dll!mozilla::plugins::PluginInstanceChild::UpdateWindowAttributes(bool) [PluginInstanceChild.cpp : 2751 + 0x17]
    eip = 0x016bcb0f esp = 0x0012ee60 ebp = 0x0012eec8
    Found by: call frame info
 3  xul.dll!mozilla::plugins::PluginInstanceChild::PaintRectToPlatformSurface(nsIntRect const &,gfxASurface *) [PluginInstanceChild.cpp : 2824 + 0x9]
    eip = 0x016bcd43 esp = 0x0012eed0 ebp = 0x0012eef4
    Found by: call frame info
 4  xul.dll!mozilla::plugins::PluginInstanceChild::PaintRectToSurface(nsIntRect const &,gfxASurface *,gfxRGBA const &) [PluginInstanceChild.cpp : 2951 + 0x14]
    eip = 0x016bcf37 esp = 0x0012eefc ebp = 0x0012ef88
    Found by: call frame info
 5  xul.dll!mozilla::plugins::PluginInstanceChild::ShowPluginFrame() [PluginInstanceChild.cpp : 3221 + 0x43]
    eip = 0x016bdbc9 esp = 0x0012ef90 ebp = 0x0012f0f0
    Found by: call frame info
 6  xul.dll!mozilla::plugins::PluginInstanceChild::InvalidateRectDelayed() [PluginInstanceChild.cpp : 3353 + 0x7]
    eip = 0x016be281 esp = 0x0012f0f8 ebp = 0x0012f0fc
    Found by: call frame info
 7  xul.dll!DispatchToMethod<mozilla::plugins::PluginInstanceChild,void ( mozilla::plugins::PluginInstanceChild::*)(void)>(mozilla::plugins::PluginInstanceChild *,void ( mozilla::plugins::PluginInstanceChild::*)(void),Tuple0 const &) [
    eip = 0x016c06bc esp = 0x0012f104 ebp = 0x0012f104
    Found by: call frame info
 8  xul.dll!RunnableMethod<mozilla::plugins::PluginInstanceChild,void ( mozilla::plugins::PluginInstanceChild::*)(void),Tuple0>::Run() [task.h : 307 + 0x1d]
    eip = 0x016bffbe esp = 0x0012f10c ebp = 0x0012f120
    Found by: call frame info

Beta and Aurora still show the original _moz_cairo_surface_set_user_data crash. Maybe this abort is related to the original crash. I didn't crash with a Nightly, Aurora or Beta opt builds on XP though. Everything here is Windows XP and Windows 7.
Reporter
Comment 27•12 years ago
See Bug 700572 for test case that reproduces ABORT: Expected SharedDIBSurface! about 25% of the time.
Reporter
Comment 28•12 years ago
I last saw this on 12/17 with flash 11.1.102.55. http://www.super.websnadno.cz/ucivo-a-zajimavosti.html still reproduces ABORT: Refusing to pointlessly recover alpha: 'aSurface->GetContentType() == gfxASurface::CONTENT_COLOR_ALPHA' but that is Bug 700572
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Updated•2 years ago
Product: Core → Core Graveyard